Planes crashing into planes: the reality of cybercrime?

Action films from the 1980s and today’s IT security vendors have one thing in common: a love of apocalyptic scenarios involving malignant hackers plugging into the usually benign infrastructure that our society relies on - like the planes that ferry people across the globe - and turning them into weapons.

While in the 80s these scenarios were used to draw people to the cinemas, nowadays security vendors use them to encourage people to buy new security products. Given this trend of using fear as a marketing tool, it’s hard to tell where the spin ends and where the real threats begin.

Ty Miller, CTO of penetration testing organisation Pure Hacking, knows of at least one airline that, until recently, was worryingly susceptible to a hack. The airline in question contracted Pure Hacking to undertake an assessment of its network security.

The Pure Hacking crew came to some worrying conclusions.

Miller says they were given a basic network connection, and within a few days they had administrative control over almost all of the airline’s systems. With that kind of access, you can do any number of things, he says, beginning with a simple denial of service (DoS) attack.

“If you can DoS communications to aircraft, or to the air traffic controller, or even DoS systems within the check-in system, it can have significant impact on either security, safety or even just functionality,” Miller says.

Things look even more bleak if you consider that hackers could create virulent software to run on the airline’s specific equipment, once they had access to it.

“A worm … that can actually run on avionics equipment, within the aircraft itself. That could potentially do things like take control of information being displayed in the flight deck, it could do things like turn off your landing gear, or dump all your fuel, or suddenly turn you into a nosedive. And not necessarily just on one plane either - it could potentially infect a whole fleet of planes.”

You might think it unlikely that an airline would just hand over a network connection to a hacker. And you might also think that if a network is totally removed from any public networks like the internet it’s safe from attack.

You would be wrong.

You only have to look back as far as July 2010 to the Stuxnet attack on an Iranian nuclear facility to see why. The network in question at this particular nuclear facility was indeed not connected to the internet. And yet, it was compromised, Miller explains, because employees introduced infected USB sticks into the facility’s computers, enabling the attack to succeed.

“Stuxnet was designed to infect Iran’s nuclear enrichment facilities and spin up the machines to speeds that they couldn’t handle. They kept doing that until they broke and basically destroyed the facility, rather than actually bombing it or going in and taking it out,” he says.

Stuxnet is also important because it demonstrates the capacity for hackers to approach a target in multiple stages. In such a multistage attack, hackers will breach several related systems before the attack on their actual target, in order to gather more information on the system they want to assault. Thus, they can circumnavigate particular parts of a security system or plant malware with commands specific to the target system - such as “point the nose of the plane towards the ground”.

Miller explains: “To actually gather the information necessary to create some of these worms, they actually have to break into a whole number of different companies in order to pull all of the information together.”

In the case of Stuxnet, Miller says, “They needed the detailed designs for the nuclear enrichment plant. They also had to break into two different Taiwanese manufacturers of the hardware to get private keys and designs.”

Stuxnet also shows that there are large organisations that have the time, money and manpower to pull off a large-scale attack on a high-profile and fairly well-defended target.

“They’re being created by groups of people who are well funded and have access to intelligence,” Miller says.

Here and now?

So we know from Miller’s experience that at least some airlines have network security holes that are waiting to be exploited. And thanks to Stuxnet, we know that there are well-funded organisations with the foresight and resources to plan long-term, multistage attacks that can overcome boundaries previously considered impenetrable, in order to plant malware tailored to control or damage specific pieces of equipment.

This gives us a solid basis for a hypothetical plane-hijacking scenario. And according to Miller, it’s one that could “absolutely” translate into a real-world occurrence - not in the future, but today.

“These types of attacks are real - because we’ve seen it with Stuxnet. You can apply the same sort of concepts across a number of different industries,” he says.

But, he says, “the likelihood of it is low. It’s unlikely that it’s going to happen, but it is possible. It’s just that the impact is so high - if you can force a whole aircraft to drop out of the sky, then it’s major. It could potentially be the next 9/11.”